package org.jfrog.security.ssl;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Date;
import java.util.List;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.style.IETFUtils;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.CertIOException;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.jce.X509KeyUsage;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.util.IPAddress;
import org.jfrog.security.util.BCProviderFactory;

/* loaded from: input_file:org/jfrog/security/ssl/SignedCertificateBuilder.class */
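/**
 * Fluent builder that assembles an X.509 v3 certificate with BouncyCastle and signs it
 * with the issuer's private key using {@code SHA256WithRSA}.
 *
 * <p>Required inputs: issuer name ({@link #iss}), issuer private key
 * ({@link #issPrivateKey}), subject name ({@link #sub}) and subject public key
 * ({@link #subPublicKey}). Everything else has a default.
 *
 * <p>Security-relevant defaults callers should be aware of:
 * <ul>
 *   <li>The serial number defaults to {@code 1} when none is supplied. RFC 5280 expects
 *       serial numbers to be unique per issuer, so callers issuing more than one
 *       certificate from the same issuer should always set {@link #serialNumber}.</li>
 *   <li>When {@link #expireIn} is not set, the validity end is clamped to
 *       {@code MAX_EXPIRY} (year 7000), i.e. the certificate effectively never expires.</li>
 *   <li>{@code notBefore} is backdated by one day relative to the current time.</li>
 *   <li>If neither {@link #isCA} nor {@link #isTLS} is enabled, no keyUsage,
 *       extendedKeyUsage or basicConstraints extension is added at all.</li>
 *   <li>The CA profile adds {@code BasicConstraints(true)} without a path-length limit.</li>
 * </ul>
 *
 * <p>Instances are mutable and hold no synchronization.
 */
public class SignedCertificateBuilder {
    private X500Principal iss;
    private PrivateKey issPrivateKey;
    private X500Principal sub;
    private BigInteger serialNumber;
    private PublicKey subPublicKey;
    // Validity period in milliseconds from "now"; null means "use the maximum".
    private Long expireIn;
    private int certVersion;
    private boolean useSubForSAN = false;
    private final List<GeneralName> sanValues = new ArrayList<>();
    private boolean isCA = false;
    private boolean isTLS = false;
    // Hard-coded signature algorithm: the issuer key handed to the signer must be an RSA key.
    private static final String SIG_ALG = "SHA256WithRSA";
    private static final String BC_PROVIDER = "BC";
    /** OID of the non-critical extension that carries the {@link #certVersion} value. */
    public static final ASN1ObjectIdentifier CERT_VERSION_OID = new ASN1ObjectIdentifier("2.5.29.17.1").intern();
    private static final long ONE_DAY_IN_MS = 86400000;
    // Upper bound for notAfter, computed once in the static initializer.
    private static final long MAX_EXPIRY;

    /** Creates an empty builder. */
    public static SignedCertificateBuilder builder() {
        return new SignedCertificateBuilder();
    }

    /**
     * Sets the issuer to {@code CN=<str>}.
     *
     * <p>NOTE(review): {@code str} is concatenated unescaped into a distinguished-name
     * string that {@link X500Principal} then parses, so DN metacharacters in the value
     * are interpreted as name structure rather than as part of the common name. Do not
     * pass unvalidated external input here; prefer {@link #iss(X500Principal)} with a
     * name built by the caller.
     */
    public SignedCertificateBuilder iss(String str) {
        this.iss = new X500Principal("CN=" + str);
        return this;
    }

    /** Sets the issuer distinguished name. */
    public SignedCertificateBuilder iss(X500Principal x500Principal) {
        this.iss = x500Principal;
        return this;
    }

    /** Sets the private key used to sign the certificate (must be usable with SHA256WithRSA). */
    public SignedCertificateBuilder issPrivateKey(PrivateKey privateKey) {
        this.issPrivateKey = privateKey;
        return this;
    }

    /**
     * Sets the subject to {@code CN=<str>}.
     *
     * <p>NOTE(review): as with {@link #iss(String)}, the value is not escaped before being
     * parsed as a distinguished name. This matters doubly when {@link #useSubForSAN()} is
     * enabled, because the SAN entry is derived from the first RDN of the parsed name.
     * Validate the value or use {@link #sub(X500Principal)}.
     */
    public SignedCertificateBuilder sub(String str) {
        this.sub = new X500Principal("CN=" + str);
        return this;
    }

    /** Sets the subject distinguished name. */
    public SignedCertificateBuilder sub(X500Principal x500Principal) {
        this.sub = x500Principal;
        return this;
    }

    /**
     * Sets the certificate serial number. If never called (or called with {@code null}),
     * the serial number {@code 1} is used.
     */
    public SignedCertificateBuilder serialNumber(BigInteger bigInteger) {
        this.serialNumber = bigInteger;
        return this;
    }

    /** Sets the public key that the certificate binds to the subject. */
    public SignedCertificateBuilder subPublicKey(PublicKey publicKey) {
        this.subPublicKey = publicKey;
        return this;
    }

    /**
     * Sets the validity period in milliseconds, counted from the time of the build call.
     * {@code null} selects the maximum supported expiry; negative values are rejected
     * when the certificate is built.
     */
    public SignedCertificateBuilder expireIn(Long l) {
        this.expireIn = l;
        return this;
    }

    /** Sets the integer written into the {@link #CERT_VERSION_OID} extension (default 0). */
    public SignedCertificateBuilder certVersion(int i) {
        this.certVersion = i;
        return this;
    }

    /** Enables the CA profile; takes precedence over {@link #isTLS(boolean)}. */
    public SignedCertificateBuilder isCA(boolean z) {
        this.isCA = z;
        return this;
    }

    /** Enables the TLS end-entity profile (ignored when the CA profile is enabled). */
    public SignedCertificateBuilder isTLS(boolean z) {
        this.isTLS = z;
        return this;
    }

    /** Appends a subject-alternative-name entry as given. */
    public SignedCertificateBuilder sanValue(GeneralName generalName) {
        this.sanValues.add(generalName);
        return this;
    }

    /**
     * Appends a subject-alternative-name entry, typed as iPAddress when {@code str} is a
     * valid IP address literal and as dNSName otherwise. No hostname syntax validation is
     * performed on the dNSName branch.
     */
    public SignedCertificateBuilder sanIpOrDnsValue(String str) {
        int tag = IPAddress.isValid(str) ? GeneralName.iPAddress : GeneralName.dNSName;
        this.sanValues.add(new GeneralName(tag, str));
        return this;
    }

    /** Requests that the subject's first RDN value is also added as a dNSName SAN entry. */
    public SignedCertificateBuilder useSubForSAN() {
        this.useSubForSAN = true;
        return this;
    }

    /**
     * Builds and signs the certificate, returning it as a generic {@link Certificate}.
     *
     * @throws CertificateGenerationException if the certificate cannot be generated
     * @throws IllegalStateException if the generated certificate cannot be re-parsed
     */
    public Certificate build() throws CertificateGenerationException {
        try {
            byte[] encoded = buildX509Certificate().getEncoded();
            return CertificateFactory.getInstance("X509").generateCertificate(new ByteArrayInputStream(encoded));
        } catch (CertificateException e) {
            throw new IllegalStateException("Failed to convert X509 certificate.", e);
        }
    }

    /**
     * Builds and signs the certificate.
     *
     * <p>Validity runs from one day before the current time until "now + expireIn"
     * (clamped to {@code MAX_EXPIRY}). A subjectAlternativeName extension is added only
     * when at least one SAN entry exists; the certificate-version extension is always added.
     *
     * @throws CertificateGenerationException on any failure, including missing required
     *         inputs and a negative {@code expireIn}; the original exception is the cause
     */
    public X509Certificate buildX509Certificate() throws CertificateGenerationException {
        try {
            // Fail with a descriptive message instead of an anonymous NullPointerException.
            requireSet(this.iss, "issuer (iss)");
            requireSet(this.issPrivateKey, "issuer private key (issPrivateKey)");
            requireSet(this.sub, "subject (sub)");
            requireSet(this.subPublicKey, "subject public key (subPublicKey)");

            Date notBefore = new Date(System.currentTimeMillis() - ONE_DAY_IN_MS);
            Date notAfter = getEndDate(this.expireIn == null ? Long.MAX_VALUE : this.expireIn.longValue());
            X509v3CertificateBuilder certBuilder = getX509v3CertificateBuilder(notBefore, notAfter);

            GeneralName[] sanContent = getSANContent();
            if (sanContent.length > 0) {
                certBuilder.addExtension(Extension.subjectAlternativeName, false, new GeneralNames(sanContent));
            }
            addCertificateVersion(certBuilder, this.certVersion);
            return getSignedCertificate(this.issPrivateKey, certBuilder);
        } catch (Exception e) {
            throw new CertificateGenerationException("Failed to generate signed certificate: " + e.getMessage(), e);
        }
    }

    /** Throws {@link IllegalStateException} when a required builder input was never supplied. */
    private static void requireSet(Object value, String what) {
        if (value == null) {
            throw new IllegalStateException(what + " must be set before building the certificate");
        }
    }

    /**
     * Computes notAfter as "now + j" milliseconds.
     *
     * @throws IllegalArgumentException if {@code j} is negative
     */
    private Date getEndDate(long j) {
        if (j < 0) {
            throw new IllegalArgumentException("'expire in' must be a positive number");
        }
        long expiry = System.currentTimeMillis() + j;
        // A negative sum means the addition overflowed; treat it like any value past the cap.
        if (expiry < 0 || expiry > MAX_EXPIRY) {
            expiry = MAX_EXPIRY;
        }
        return new Date(expiry);
    }

    /**
     * Creates the BouncyCastle certificate builder and applies the selected usage profile.
     *
     * <ul>
     *   <li>CA: critical keyUsage (digitalSignature, keyCertSign) and critical
     *       basicConstraints with cA=true.</li>
     *   <li>TLS: critical extendedKeyUsage (serverAuth, clientAuth), critical keyUsage
     *       (digitalSignature, keyEncipherment) and critical basicConstraints with cA=false.</li>
     *   <li>Neither: no usage-restricting extension is added.</li>
     * </ul>
     */
    private X509v3CertificateBuilder getX509v3CertificateBuilder(Date date, Date date2) throws IOException {
        SubjectPublicKeyInfo subjectKeyInfo;
        // Close the ASN.1 stream once the key structure has been read.
        try (ASN1InputStream keyStream = new ASN1InputStream(this.subPublicKey.getEncoded())) {
            subjectKeyInfo = SubjectPublicKeyInfo.getInstance(keyStream.readObject());
        }
        BigInteger serial = this.serialNumber == null ? BigInteger.ONE : this.serialNumber;
        X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(
                X500Name.getInstance(this.iss.getEncoded()),
                serial,
                date,
                date2,
                X500Name.getInstance(this.sub.getEncoded()),
                subjectKeyInfo);

        if (this.isCA) {
            certBuilder
                    .addExtension(Extension.keyUsage, true,
                            new X509KeyUsage(X509KeyUsage.digitalSignature | X509KeyUsage.keyCertSign))
                    .addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
        } else if (this.isTLS) {
            ASN1EncodableVector purposes = new ASN1EncodableVector();
            purposes.add(KeyPurposeId.id_kp_serverAuth);
            purposes.add(KeyPurposeId.id_kp_clientAuth);
            certBuilder
                    .addExtension(Extension.extendedKeyUsage, true, new DERSequence(purposes))
                    .addExtension(Extension.keyUsage, true,
                            new X509KeyUsage(X509KeyUsage.digitalSignature | X509KeyUsage.keyEncipherment))
                    .addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
        }
        return certBuilder;
    }

    /**
     * Adds the non-critical {@link #CERT_VERSION_OID} extension: a GeneralNames holding a
     * single otherName whose content is the sequence (CERT_VERSION_OID, INTEGER i).
     */
    private void addCertificateVersion(X509v3CertificateBuilder x509v3CertificateBuilder, int i) throws CertIOException {
        DERSequence versionValue = new DERSequence(new ASN1Encodable[]{CERT_VERSION_OID, new ASN1Integer(i)});
        GeneralName versionName = new GeneralName(GeneralName.otherName, versionValue);
        x509v3CertificateBuilder.addExtension(CERT_VERSION_OID, false,
                new GeneralNames(new GeneralName[]{versionName}));
    }

    /**
     * Returns the SAN entries to embed, optionally including the subject's first RDN value
     * as a dNSName.
     *
     * <p>Works on a copy of the configured entries so that building more than once from
     * the same builder does not append the subject-derived entry repeatedly.
     */
    private GeneralName[] getSANContent() {
        List<GeneralName> names = new ArrayList<>(this.sanValues);
        if (this.useSubForSAN) {
            // NOTE(review): takes the first RDN of the encoded subject without checking
            // that it is a CN, and always types it as dNSName; confirm against callers
            // that pass a multi-RDN subject or an IP address as subject.
            X500Name subjectName = X500Name.getInstance(this.sub.getEncoded());
            String firstRdnValue = IETFUtils.valueToString(subjectName.getRDNs()[0].getFirst().getValue());
            names.add(new GeneralName(GeneralName.dNSName, firstRdnValue));
        }
        return names.toArray(new GeneralName[0]);
    }

    /**
     * Signs the assembled certificate with {@code privateKey} via the "BC" provider and
     * re-parses the encoded result into a JCA {@link X509Certificate}.
     */
    private X509Certificate getSignedCertificate(PrivateKey privateKey, X509v3CertificateBuilder x509v3CertificateBuilder) throws OperatorCreationException, CertificateException, IOException {
        byte[] encoded = x509v3CertificateBuilder
                .build(new JcaContentSignerBuilder(SIG_ALG).setProvider(BC_PROVIDER).build(privateKey))
                .getEncoded();
        try (ByteArrayInputStream in = new ByteArrayInputStream(encoded)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    static {
        // 1 January 7000, 00:00 in the JVM's default time zone. Seconds and milliseconds
        // are not reset, so they carry over from the moment the class is initialized.
        Calendar calendar = Calendar.getInstance();
        calendar.set(7000, Calendar.JANUARY, 1, 0, 0);
        MAX_EXPIRY = calendar.getTimeInMillis();
        // Presumably registers the BouncyCastle provider that BC_PROVIDER refers to;
        // the helper is defined outside this file.
        BCProviderFactory.getProvider();
    }
}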
